Thursday, 7 March 2013

O2's TU Go app - NOT Secure

I was impressed by O2's TU Go app - it provides for the use of your O2 number (for calls and SMS) on different devices (iOS: iPad, iPhone, Android, and Win7) - over WiFi or GSM. It's nice to be able to use WiFi-only devices or WiFi-only locations to make and receive calls.

However, if one reads the fine print of their terms and conditions (item 13), it says that calls over WiFi are NOT secured. I was a bit concerned so I dug further... I ran TU Go and captured the packet stream and sure enough, whilst the signalling protocol is secured using TLS, the audio stream is just using plain old G.711 on RTP, which I could play back quite nicely using Wireshark.

So only use TU Go on your secured home network or over a VPN unless you're not concerned about people listening in.

I should also point out that the average SIP/VoIP phone is actually worse, as it leaves not only the audio in the clear but also the signalling.

On the other hand, Skype and FaceTime encrypt the majority of the traffic.
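
For anyone who wants to check their own VoIP app the same way, here is an added example (not part of the original post) that parses the UDP payloads of a capture as RTP and flags G.711 streams whose payloads are bare audio frames with no room for an SRTP authentication tag. The function names and the sample packets are constructed for illustration; the check assumes SRTP is used with an authentication tag (10 bytes by default in RFC 3711), so SRTP configured without a tag would not be told apart by it.

```python
import struct
from collections import defaultdict

G711 = {0: "PCMU", 8: "PCMA"}   # static RTP payload types (RFC 3551)
FRAME = 80                      # G.711 is 1 byte/sample at 8 kHz: 10 ms = 80 bytes

def parse_rtp(dgram):
    """Return (payload_type, ssrc, payload) for an RTP v2 packet, else None."""
    if len(dgram) < 12 or dgram[0] >> 6 != 2:
        return None
    b0, b1 = dgram[0], dgram[1]
    ssrc = struct.unpack("!I", dgram[8:12])[0]
    off = 12 + 4 * (b0 & 0x0F)                  # fixed header + CSRC list
    if b0 & 0x10:                               # header extension present
        if len(dgram) < off + 4:
            return None
        off += 4 + 4 * struct.unpack("!H", dgram[off + 2:off + 4])[0]
    if off > len(dgram):
        return None
    payload = dgram[off:]
    if b0 & 0x20:                               # padding: last byte is the pad count
        if not payload or not 0 < payload[-1] <= len(payload):
            return None
        payload = payload[:-payload[-1]]
    return b1 & 0x7F, ssrc, payload

def audit(datagrams):
    """Map SSRC -> verdict for every G.711 stream found in the UDP payloads."""
    sizes, codec = defaultdict(list), {}
    for d in datagrams:
        pkt = parse_rtp(d)
        if pkt and pkt[0] in G711 and pkt[2]:
            sizes[pkt[1]].append(len(pkt[2]))
            codec[pkt[1]] = G711[pkt[0]]
    out = {}
    for ssrc, lens in sizes.items():
        bare = all(n % FRAME == 0 for n in lens)   # whole frames only, no tag bytes
        out[ssrc] = f"{codec[ssrc]}: " + ("cleartext RTP" if bare else "extra bytes, SRTP likely")
    return out

def rtp(pt, seq, ssrc, payload):    # helper that builds the constructed samples
    return struct.pack("!BBHII", 0x80, pt, seq, seq * 160, ssrc) + payload

# Constructed sample: a bare PCMU stream and a PCMA stream carrying a 10-byte tag.
SAMPLE = ([rtp(0, i, 0x1111, b"\xff" * 160) for i in range(5)] +
          [rtp(8, i, 0x2222, bytes(range(170))) for i in range(5)])

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Feed `audit()` the UDP payloads exported from your own capture; a "cleartext RTP" verdict means the call audio should be kept to a trusted network or a VPN.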